The War on Fakes

The fine that wakes everyone up (South Korea, February 2026). Louis Vuitton, Dior and Tiffany are fined 25 million dollars for the leak of 5.5 million clients' data. The regulator's verdict: a third-party tool does not erase the House's responsibility.

The risk now has a manual (OWASP, December 2025). The world's cybersecurity reference publishes its first Top 10 of risks specific to AI agents: identity spoofing, goal hijacking, memory poisoning. Named, the threat becomes treatable.

The trust gap (Gravitee, February 2026). 88% of organizations have already suffered an agent-related incident; 82% of leaders believe they are protected. All the danger is in that gap.

Proof goes to scale (Aura, Entrupy, Red Points, MarqVision). While AI fakes, AI certifies: 50 million products authenticated on Luxury's blockchain, a fake pulled in fifteen minutes. The shield exists — on the product.

Agents are finally getting an ID card (NIST, Microsoft, Okta). The standards and tools to prove an agent is really yours are reaching production. They remain to be adopted.

No industry has pushed the art of proof as far as Luxury. The guarantee hallmark goes back to the Middle Ages; the gemological certificate, the serial number, diamond traceability, the product's digital passport are its heirs. Proving that a thing is true: that is a craft Luxury has practiced for centuries.

And yet. The same House that would never let a necklace leave without a certificate lets software agents run that speak to its clients, open its files and commit its name — with no ID card, no trace, no guarantor. The diamond is certified; the agent that could cost millions is not.

The gap comes down to a simple reason. Luxury knows how to prove the material, because you can hallmark it and trace it. It does not yet know how to prove the immaterial — its image, its relationship, its agent — which is precisely what AI makes it possible to fake, and precisely what gives it its value. Faking has left the forger's workshop and entered the software. It is for proof to make the same journey.

Cybersecurity publishes the first manual of agentic risks

December 2025: OWASP — the world's reference foundation in application security — publishes its first Top 10 for Agentic Applications 2026, reviewed by more than a hundred experts. For the first time, the risks specific to agents have a name: goal hijacking (you redirect the agent toward another aim), identity abuse (you spoof or escalate its rights), memory poisoning (you inject false "truths" it will then apply). You cannot defend what you have not named; it is now named. The first question to put to your technical team fits in one line: are our agents audited against these ten risks, yes or no?

Source:

• OWASP, Top 10 for Agentic Applications 2026, 09/12/2025.

88% of companies already hit, 82% of leaders unworried

Two figures to read together, from Gravitee's State of AI Agent Security 2026 report (more than nine hundred executives and practitioners surveyed): 88% of organizations have experienced an agent-related incident in the year; 82% of leaders believe their rules protect them. What explains the gap? Only 21.9% of teams treat their agents as full-fledged identities; 45.6% make do with a single shared pass for all. An agent with no identity of its own is an employee without a badge: impossible to know who did what. The real risk is not the attack. It is the serenity of those who have never tested their defenses.

Sources:

• Gravitee, State of AI Agent Security 2026; VentureBeat, 02/2026.

The shield goes mechanical: proof reaches scale

While AI fakes, AI certifies — and on this ground, Luxury leads. The Aura consortium (LVMH, Prada, Cartier) has tied more than fifty million products to a verifiable digital passport, readable with a single scan; AI-driven platforms pull a fake in fifteen minutes, across more than a hundred countries. Proof, too, has its machine speed. What remains is to extend it beyond the object — I come back to that below; it is the whole point of this edition.

Sources:

• Aura Blockchain Consortium; Red Points; MarqVision, 2026.

Three agentic facts of the week, all sectors combined. None is a Luxury fact; each one touches how a House deploys and protects its agents.

1. An AI so good at finding flaws that no one dared release it — until June 9

On June 9, Anthropic released Fable 5, the first general-public model of the "Mythos" class — the AI that spots and exploits software vulnerabilities better than almost any human expert, more than ten thousand high- or critical-severity flaws found in major systems. Until now, the maker refused to release it, for fear it would be used to attack, and reserved it for a defensive circle (Apple, Google, Microsoft, AWS, among others, via Project Glasswing), expanded in early June to some one hundred and fifty additional organizations. The public version ships muzzled: cyberattack requests are automatically rerouted to a less capable model, and the full version, Mythos 5, stays reserved for vetted professionals. Why it matters: the power that finds flaws is no longer under lock and key; your poorly protected agents will be found. But the same AI defends — the counter is played through proof, not secrecy.

2. Europe makes software liable "without fault"

The new European product-liability directive (2024/2853) now explicitly counts software and AI among "products": the victim no longer has to prove negligence, only the defect, the harm and the link. Transposition by December 9, 2026. Why it matters: deploying an agent without documentation or traceability becomes a quantifiable legal risk. Keeping a record of what the agent does is no longer optional — it is a defense.

3. We are starting to give agents an ID card

On February 17, 2026, the U.S. institute NIST launched its AI-agent standardization initiative: apply existing identity standards (OAuth, OpenID) to agents, treat each one as a full-fledged identity, with its rights and its traces. Why it matters: this is the missing brick to prove an agent is really yours. Microsoft (Entra Agent ID) and Okta (Okta for AI Agents, opened in April 2026) already ship it in production.

Sources:

• Fortune, 04/2026; Cybersecurity Dive, 06/2026; Anthropic, 06/09/2026; CNBC, 06/2026.
• Gibson Dunn; Directive (EU) 2024/2853 — EUR-Lex.
• NIST; WorkOS, 02/2026.

Let us pick up Inverted Authenticity from edition #15. The reversal bore then on what AI copies: the product, the image. This week, it reaches what it does: the agent that acts in your name. Let us follow faking on its way up — two rungs where AI imitates, and where the counter exists; two rungs where it acts, and where almost everything remains to be invented. It is up there, on the agent, that the new of this edition is at stake.

To find your bearings, and decide, a reading grid — I call it from hallmark to protocol. Every proof Luxury forged for matter (the hallmark, the certificate, the serial number, the digital passport) must be reinvented for the immaterial (the image, the agreement, the agent), as a cryptographic protocol. One discipline of authentication, two worlds. At each rung that follows, a single question: what proof do I set against the fake, and does it already exist?

Rung 1 — Faking the object: the ground Luxury is already winning

The oldest, the best defended. AI industrializes counterfeiting: fake certificates generated on demand, fake listings written by language models. Entrupy's "State of the Fake 2026" report puts a number on it — Louis Vuitton remains the most counterfeited brand in the world, a third of the dubious pieces submitted for authentication bear its mark. But this is exactly where Luxury has already won: AI authentication (Entrupy, 99.86% reliability), the product's digital passport (Aura, fifty million items), the automated hunt for fake sites (Red Points, MarqVision). On this rung, the forger no longer wins. It is the model to carry up to the next ones.

Rung 2 — Faking the brand: the open worksite

One notch higher, it is no longer the object being copied: it is the House's identity. Netcraft has logged a hundred thousand AI-generated fake sites impersonating two hundred brands, and detects three thousand a day; Luxury is on the front line, because it is its name that gives the copy its value. Add the campaign deepfakes — five hundred thousand cases in 2023, more than eight million in 2025 — and the fake customer-service accounts. Those fake accounts are chatbots: they imitate your voice, they answer, but they do not yet act in your place. We are still in copying, the ground Luxury knows how to defend. The counter exists, it is mature, and it has an industrial name: the C2PA / Content Credentials standard (Adobe, Microsoft, the BBC, Intel) inscribes in every image a verifiable proof of origin — who created it, with which tool, what edits — and Google's SynthID watermark marks AI-generated content. Google deploys both across its search, Chrome and Gemini. The technology is there. What is missing is adoption: almost no House yet signs its content, and as long as the original is not signed, nothing distinguishes it, proof in hand, from its copy. The most overdue worksite — and the cheapest to launch.

Rung 3 — Faking the client and the agreement: the relationship in the crosshairs

Higher still, we fake the person and what they wanted. The Korean fine names the price: the files of wealthy clients are worth gold, and they leak through the human link. Experian, in its 2026 fraud forecast, names the rising threat "machine-to-machine mayhem": agents that pay and negotiate with no clear liability, and cloned voices to authorize transfers. HUMAN Security measures the tide — agent traffic surged 7,851% in a year, and a fraudulent agent now resembles an honest one to within half a point of detection score. The flip side is already visible: real agents, mandated by legitimate clients, get blocked as fraudsters — the "false decline" — and it is the client, at the other end, who feels turned away by the House without understanding why. The counter is being built: strong client identity, verifiable proof of intent, trust protocols between agents that Visa and NIST are putting in place. Luxury holds one asset here — it knows its clients better than anyone. It still has to protect that knowledge, not expose it as in Seoul.

Rung 4 — Faking the agent: the front no one masters

At the top, the real leap: we no longer copy, we fake the action. Two forms, and neither is a chatbot. Spoofing first. Tomorrow, your client's agent no longer types "customer service" into a window: it speaks directly to your House's sales agent to buy, pay, set an appointment. Let a crook have slipped in a fake agent under your name, and it is that one that closes the deal and pockets the money. Two machines negotiated, no human saw a thing, the money went to the impostor. Manipulation next. Your genuine agent — the one with the right to open a client file or issue a credit note — is hijacked by a hidden instruction. Microsoft Copilot's "EchoLeak" flaw showed it: a booby-trapped email makes it exfiltrate data without a single click. More insidious still, memory poisoning: you slip the agent a false rule it remembers and then applies to all — "clients of such-and-such profile are entitled to forty percent off" — and it will grant it without ever doubting it once ignored it. In both cases, the agent did not answer: it acted. The vector has a name a digital director must know, indirect prompt injection, and it often targets the MCP (Model Context Protocol), the protocol by which an agent calls its tools and its data. According to HiddenLayer, one AI breach in eight is now tied to an agentic system. The loyal agent becomes the weapon, without ever rebelling: that is what OWASP calls goal hijacking.

The counter is concrete, on the market, in two layers. The first, identity: a verifiable ID card per agent, as for an employee. Microsoft launched Entra Agent ID, Okta opened Okta for AI Agents in April 2026, both built on the standards NIST recommends. The gap is wide — according to Okta, 91% of companies already use agents, but only 10% know how to manage these non-human identities. Second layer, the guardrail: a filter that inspects what goes in and out of the agent to block booby-trapped instructions — Lakera Guard, NVIDIA's NeMo Guardrails, HiddenLayer. And, at the end of the road, the gesture closest to Luxury's DNA: cryptographically sign the agent, the way you hallmark a jewel. A signed agent is an agent you can prove is yours.

What Luxury has that the others do not

Niklas Luhmann showed it: trust is not a feeling, it is a mechanism — it spares us from verifying everything, without which no commerce would hold. George Akerlof, as early as 1970, drew the corollary: when the buyer can no longer tell true from false, the market collapses — unless a third party guarantees quality. Luxury has been that guaranteeing third party for two centuries; it is its rent. And Nelson Goodman, in Languages of Art (1968), tightened the knot: for some objects, value rests on origin as much as on appearance — a technically flawless fake Vermeer is still a fake. The Luxury object is one of those. Its distinction is, first, real and intrinsic: the material, the excellence of execution, the gesture of the hand. But you have to know the House and the category to read it, and copies have grown so fine — watchmaking counts counterfeits that are themselves beautiful objects, a few details short of the real — that the eye alone no longer decides. Proof then takes over from the gaze: as the fake catches up with the real on appearance, it is origin, attested, that makes the difference. That is why Luxury is not the victim of the agentic age, but its best-armed candidate. No other industry has made proof of authenticity a craft. Its task is not to learn trust — it already sells it — but to extend its proofs to what, yesterday, did not need any.

I go further. I am convinced that proof of agent will become, within three years, a selling argument as explicit as a diamond's certificate — not a line buried in a compliance report, but a promise made to the client. The House that can say "this agent is mine, and here is how I prove it" will sell better than the one that deploys it in silence. For Luxury, proof of authenticity has always been an argument as much as a protection. The agent will be no exception.

Decide at the top, secure day to day

Certifying your agents and your content is not a technical matter you delegate then forget. It engages trust, therefore the brand. Four moves, in order.

1. Give each agent an identity. No shared pass: a badge per agent, rights bounded to its function, a trace of everything. The tools are in production — Microsoft Entra Agent ID, Okta for AI Agents — paired with a guardrail (Lakera, NeMo Guardrails) that filters booby-trapped instructions. This is the basis still missing in nearly eight companies out of ten (Gravitee).
2. Sign what carries your name. Your campaign images, your press releases, tomorrow your agents: adopt the content-signing standard (C2PA / Content Credentials, deployed by Adobe and Google) so the original is provable and the copy, exposable.
3. Extend your product passport to the relationship. Aura proves the object; the same reflex must cover the client's data and the validity of an agreement struck by an agent. The know-how is there — it just has to move up a notch.
4. Name an owner on the committee. A member of the executive committee who answers, before the CEO, for what the agents do and prove in the House's name. Trust is too costly to be left without an owner.

The data and tech teams will inherit this burden — without necessarily having wanted or created it

A word, and it counts, for those who will handle it day to day: the data and tech teams — CIO, CTO, CISO, architects, developers, DevOps and SecOps engineers. We celebrate client experience, marketing, commerce; we rarely speak of those who, backstage, keep the whole thing standing. This edition is theirs too — doubly so, since the security of the agents will fall to them.

They did not create the problem: they almost always inherit it — an agent deployed in a rush by another team, a vendor chosen without them, a security debt they never took on. And then it falls to them to keep in production systems that, by nature, drift: rights pile up, access accumulates, memories get poisoned, agents become orphans of the human who mandated them. An agent is never "finished." It ages, it strays; it has to be watched, corrected, sometimes revoked.

Unspectacular work, essential — the software-side equivalent of the workshop that maintains the gesture while the boutique receives the praise. The security of an agent is not a project you ship: it is a state you maintain. Giving them the mandate, the means and the time to do it — instead of blaming them for a drift they were never allowed to prevent — is not a technical expense. It is, for the committee, the first decision.

Sources:

• OWASP Top 10 Agentic 2026; Entrupy, State of the Fake 2026; Microsoft Entra Agent ID; Okta for AI Agents; C2PA.

Let us return to the fine — it tells both the lag and the path. In February 2026, the Korean data-protection commission sanctioned three Houses of the LVMH group for the leak of more than 5.5 million clients' data. The detail of the breaches is more telling than the amount.

Louis Vuitton, 15 million dollars: an employee's device is infected with malware, which opens access to the client-management system hosted by a third party; 3.6 million clients exposed. Dior, 8.4 million: an employee is trapped by voice phishing, and 1.95 million clients are exposed; above all, the House had neither restrictions on bulk downloads nor inspection of access logs — the leak took more than three months to be discovered. Tiffany, 1.6 million: an employee is manipulated by voice phishing and hands over access; 4,600 clients exposed.

Three times the same pattern — and a single thread. The three breaches belong to one campaign, attributed to the ShinyHunters group, targeting the clients of one client-management platform, Salesforce. No firewall was forced: it is a human who was talked into opening the door. And it is the warning for what comes next. These breaches rested on the manipulation of an employee. Tomorrow, it will no longer be an employee, it will be an agent — one that does not grow wary, does not tire, and executes thousands of actions a day. The voice phishing that trapped a Tiffany adviser will become a hidden instruction that traps a customer-service agent, at scale.

The regulator ruled: using a third-party tool does not transfer responsibility. The House remains the guardian, even of what it has delegated.

The lesson is not "give up agents." It is "apply to them the discipline of proof you apply to your diamonds." The sanction did not strike an exotic flaw, but the absence of basic measures: no restriction, no access monitoring, no detection — exactly what is missing, today, from most agent deployments. Luxury has just paid 25 million for having forgotten it on human data. It can apply it to its agents before the next fine, or pay up again.

Sources:

• SecurityWeek; BleepingComputer; Jing Daily, 02/2026.

This edition is about protecting your agents. There is a twin question, upstream: what other people's agents — ChatGPT, Claude, Gemini, Perplexity, Mistral — say about you today, when a client asks them without ever passing through your site. That is what the Flash Agentic Footprint Audit measures.

No room for confusion with today's subject: this is not a cybersecurity audit, and it does not secure your agents. It is an audit of presence and visibility in generative AI — how your House is represented, cited, recommended or passed over inside these engines. A hundred calibrated questions in French and American English, five agents, five hundred answers scored across six intents of the client journey and six criteria, your place set against your real competitors. You will know whether the agent describes you faithfully, ignores you, or lets another House answer in your place when a client looks for one like yours. A decision dossier and a prioritized action plan, delivered to your executive committee. Built to decide, not to decorate.

Measure my footprint in AI →

Securing your own agents, this edition's subject, is a distinct and complementary worksite. If you want to talk it through, it is here — a single interlocutor, from measurement to decision.

Put the question to your CFO, and watch the silence settle. A House agent authorizes a massive refund on a booby-trapped instruction; or lets a file of wealthy clients leak; or bills the wrong amount to a thousand clients overnight. Who pays? The agent's vendor clears itself by contract. The insurer, for its part, is starting to exclude this kind of claim. As for the European directive, it names you as responsible for the product you sign with your name. The answer, today, is: you.

The real question for your committee, Monday, is therefore not "how much does our agent earn us?", but "what can it prove of what it does, and who, here, can stop it before?" An agent that leaves no proof is a risk debt lying dormant. An agent that proves each of its gestures is an asset you will be able to defend — before a client, a judge, an insurer.

Let us leave the news for the prospective. We have seen the threat and the first counters; the most interesting still happens in R&D. Here are four of the most advanced technologies of 2025-2026 on the proof and security of agents — and what a House could do with them. The thread does not change: from hallmark to protocol, extending to the agent the discipline of proof Luxury has applied to matter for centuries.

1. The hallmark placed on the decision itself (proof of inference)

The most prospective lead on the list is called zkML: a cryptographic proof attesting that a precise model did run on a precise input and produced the shown output — without ever revealing the algorithm or the data. Lagrange Labs delivered the first version able to prove the inference of a whole large language model, DeepProve, since open-sourced (Lagrange). One limit, plainly: producing the proof is computationally costly, so you reserve it for high-value decisions, not for every exchange. For a House: place a digital hallmark on the authentication verdict of a second-hand watch, on a price estimate, on a jewelry appraisal — proving it was indeed the House's approved model that rendered it, on its official data, without revealing either its algorithmic know-how or the client's file.

2. The AI workshop no one can see inside (confidential computing)

Running a model without the host — or anyone — being able to read the data, the instructions or the weights during the computation, with an attestation signed by the processor itself. NVIDIA embeds it in its chips, from the Hopper and Blackwell generations to the new Rubin (NVIDIA); Apple has just extended its Private Cloud Compute, with publicly verifiable transparency, beyond its own data centers (June 8, 2026, Apple). For a House: have its proprietary model — house style, creative archives, files of very wealthy clients, unreleased collections — run on a public cloud while being able to prove to a demanding client, or to a regulator, that nothing leaked or was retained. Discretion, a cardinal Luxury value, stops being a promise and becomes a demonstrable property.

3. Client confidentiality guaranteed by architecture, not by word (defense by design)

Rather than hardening the model, you surround it: you separate what the agent decides to do — its plan — from what it reads — possibly booby-trapped data — so that a hidden instruction in a document structurally cannot hijack it. This is the CaMeL approach, from Google DeepMind and ETH Zurich, still at the research stage, but with provable security, not merely probable (arXiv). For a House: a clienteling agent that reads a client's incoming emails. A booby-trapped message whispers "send this client's purchase history to such-and-such address"? It cannot execute it — the client's data is labeled "never leaves the file." The confidentiality of the relationship becomes an architectural guarantee, not a promise on one's honor.

4. The cryptographic doorkeeper: open only to the agents you recognize (agent identity + signed mandate)

Today, a site tells the good agent from the malicious bot poorly: it trusts the network address, which is forgeable. The new generation makes the agent prove who it is by signing its requests — Cloudflare's Web Bot Auth, under standardization (Cloudflare); Visa's Trusted Agent Protocol, which ties each purchase to a precise, non-replayable authorization (Visa); the signed mandates of Google's open AP2 protocol (Google Cloud). For a House: an online boutique that opens only to signed, recognized agents — a loyal client's personal agent, an approved concierge's — and shuts the door on scraping and speculation bots. At each sale, an opposable proof: this agent, mandated by this client, for this piece. Scarcity becomes governable in the age of agents; the allocation of a limited edition, defensible. The doorkeeper who recognizes the regulars, transposed to commerce between machines.

None of these four leads is science fiction: what is missing is not the technology, it is the decision to adopt it and marry it to the House's codes. The hallmark protected the goldsmith for six centuries; the protocol will protect the agent. Same gesture, other matter.

• The Gravitee report, State of AI Agent Security 2026. The gap between the real threat and leaders' serenity. Read it for the 88% versus 82%.
• OWASP Top 10 for Agentic Applications 2026. The grid of ten agentic risks, to hand to your technical team.
• Entrupy, State of the Fake 2026. AI-assisted counterfeiting, and the AI proof that answers it. Louis Vuitton, the most counterfeited brand in the world.
• Fortune and Cybersecurity Dive, on Mythos and Project Glasswing. The AI able to find ten thousand flaws, first kept under lock and key, then opened to the general public — muzzled — with Fable 5 on June 9. To grasp the asymmetry coming.
• My study The Client, the Brand, and the Agent (April 2026). The client-brand-agent triangle — the frame in which to place the question of proof.

Next week, the news of agentic Luxury concentrates in one place: VivaTech, June 17-20, where the Houses unveil their agents — those of LVMH, of beauty, of hospitality. I will be watching one precise thing: how many will speak of what their agents do, and how many of what they have put in place so that no one can spoof them, nor turn them against them.

Until then, a single instruction: ask your team for the list of your agents, their rights, their traces. If the list does not exist, you have your first emergency. A House worthy of the name must be able to prove who speaks and who acts in its name — especially when these are no longer only humans. Luxe oblige!